An estimated 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt are set to be revoked due to a Certificate Authority Authorization (CAA) bug. This represents 2.6% of the more than 116 million active certificates issued by Let’s Encrypt.
The issuer Let’s Encrypt did contact all the certificate holders affected by the bug, and also created a tool and a list of serial numbers to determine if your TLS certificate is affected by the bug. Use this link to check your site’s host name if your Let’s Encrypt-issued certificate is affected. Here is the list of all affected serial numbers.
Let’s Encrypt have not set an exact time for revocation of the certificates, however, they say that the earliest timeframe will be UTC 00:00.
It is also possible that some certificate holders may have received false-positive emails that they’re affected, but they may have received that alert erroneously, either because the certificate was issued in the last few days after the bug was fixed, or by not meeting certain timing criteria necessary for the bug to trigger, adding to confusion.
What really happened technically?
According to Let’s Encrypt, Boulder, the software builder used by Let’s Encrypt’s CA, checks CAA records for a domain name at the same time that it verifies that a certificate requester controls that domain. Most subscribers to the service issue a certificate immediately after they validate domain control, however, Let’s Encrypt trusts that validation for 30 days.
Due to that trust issue, they sometimes have to recheck CAA records a second time, just prior to issuing the certificate. The timeframe for rechecking is 8 hours, meaning that any domain name validated more than 8 hours ago requires a recheck.
See the explanation below
The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
Let’s Encrypt confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance two minutes later. They deployed a fix at 05:22 UTC and re-enabled certificate issuance at that time.
Security researcher Scott Helme, who Tweeted out his investigation had this to say:
Possibly worth noting that while some of these numbers are really large, it represents only ~2.6% of currently active certs that are impacted. Within that ~2.6% there are *significant* numbers of duplicate certs with the exact same CN/SAN list but a different serial number.
— Scott Helme (@Scott_Helme) March 3, 2020
Will anything happen if I don’t fix this?
To explain a bit more, Secure TLS certificates always ensure that your site visitors receive encrypted traffic between their browsers and your website. Because of the bug, your site visitors might see a certificate revoked error, a “not secure” warning, or other security warnings in their browser that may erode trust in your site.
Wonderful!, just before you go: Please subscribe to our website for the latest tips, ideas, and recommendations to make your WordPress site wonderful.